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Method and Apparatus For Generating 
Hierarchical Keys of Digital Assets 

BACKGROUND 

5 

Technical Field 

The present invention relates to a method for managing keys of digital assets, in particular, 
to a method for generating hierarchical keys of digital assets. 

10 

Background Art 

In recent years, many aspects of the daily lives of people have gone digital. In order to 
protect digital assets, cryptography has been widely used, and thus leading to the need of 
cryptographic key management. Since the amount of digital assets to be protected is 
1 5 constantly growing, the management of cipher keys is a challenge. 

Cipher key management includes three basic features: (1) key generation: generating 
secure cipher keys for digital assets; (2) key storage: storing the cipher keys in a secure 
manner; and (3) key distribution: delivering the cipher keys to the legal users. 

20 

An example of key management is described below. Suppose that in a mature and reliable 
e-learning system, all lectures (teaching materials) should be ciphered with different keys, 
and all authorized users who have paid for these lectures should get the keys to the lectures. 
In a conventional method, a key management system first generates keys for each lecture, 
25 and then stores all of the keys in a database. When a user has paid for some assets, the key 
management system delivers the corresponding asset keys to the user. 

The conventional key management system usually works well, but as the amount of digital 
assets becomes excessive, cipher key management can become quite costly. For example, 

-l- 



CN92003004US1 



Express Mail Label Number ER970479680US 

if there are 100,000 lectures in the e-learning system, and a user subscribes and pays for 
20,000 lectures therein, then 20,000 keys corresponding to these lectures should be 
securely delivered to the user. There are two possible ways to deliver these keys: (1) 
delivering the 20,000 keys in advance; and (2) delivering the key whenever the user needs. 

5 Obviously, the former is not flexible, since these lectures may be upgraded later, and there 
may be some supplemental lectures or some lectures may be combined, these changes 
cannot be automatically reflected in the 20,000 keys the user has already got, i.e., the user 
may not get those changed lectures. Compared to this, though the latter does not have the 
above disadvantages, it is quite costly, since a user may request up to 20,000 times in order 

10 to fetch all these keys. 

There are two predominant kinds of key management systems in the protection of digital 
media: Conditional Access (CA) system for pay-TV and Digital Rights Management 
(DRM) system for the Internet. In CA systems, there is only one key for all the programs 

15 within one month, except for some special pay-per-view programs, so the user cannot 
subscribe to the programs for, e.g., a single day or even a single hour. CA thus lacks 
flexibility. In DRM systems, each time a user buys a content, the server retrieves the key of 
the content, but when the volume of users and assets becomes excessively large, the load 
on the server becomes quite heavy. A main problem of both CA and DRM systems is that 

20 they focus on the key storage and distribution, not the key generation. 

Summary of the Invention 

In order to solve the problems in the above-mentioned CA system and DRM system, it is an 
25 object of the present invention to provide a method for generating hierarchical keys of 
digital assets. In the hierarchical key generating method of the present invention, all the 
assets are managed in a tree structure, wherein the tree structure comprises group nodes 
and leaf nodes, each group node including a root node and other group nodes being 
non-root nodes, and each node corresponds to different collections in the digital assets. 

-2- 



CN92003004USI 



Express Mail Label Number ER970479680US 

Each higher level node is called a father node of its lower node, and each lower node is 
called a child node of its higher node. In the present invention, only the key of the root node 
is given randomly, while the keys of other nodes can be obtained by computing by using a 
one-way function according to the key of the father nodes of the nodes. 

5 

Therefore, in order to achieve the above object, the present invention provides a method for 
generating hierarchical keys of digital assets, comprising the steps of: arranging the digital 
assets as at least one tree structure for management, a root node of the tree structure 
representing the complete set of the digital assets, other group nodes representing sub-sets 
10 in each level of the digital assets respectively, and the nodes in the lowest level being leaf 
nodes; generating the key of the root node; and starting with the key of the root node, using 
the key of a father node to compute level by level the keys of its child nodes according to a 
predetermined function, through to leaf nodes. 

1 5 The present invention also provides an apparatus for generating hierarchical keys of digital 
assets, comprising: a key tree management unit for arranging the digital assets as at least 
one tree structure for management, a root node of the tree structure representing the 
complete set of the digital assets, other group nodes representing sub-sets in each level of 
the digital assets respectively, and the nodes in the lowest level being leaf nodes, the 

20 apparatus further comprising: a root node generating unit for generating the key of the root 
node; and a computing unit for starting with the key of the root node, using the key of a 
father node to compute level by level the keys of its child nodes according to a 
predetermined function, through to leaf nodes. 

25 The present invention also provides a server apparatus for managing hierarchical keys of 
digital assets, comprising: a key tree management unit for arranging the digital assets as at 
least one tree structure for management, a root node of the tree structure representing the 
complete set of the digital assets, other group nodes representing sub-sets in each level of 
the digital assets respectively, and the nodes in the lowest level being leaf nodes, said 
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server apparatus further comprises: a root key generating unit for generating the key of the 
root node; a first computing unit for starting with the key of the root node, using the key of 
a father node to compute level by level the keys of its child nodes according to a 
predetermined function, through to leaf nodes; and an encrypting unit for encrypting 
5 corresponding digital assets by using directly or indirectly the computed node keys. 

The present invention also provides a client apparatus for utilizing hierarchical keys of 
digital assets, wherein the digital assets are arranged as at least one tree structure for 
management, a root node of the tree structure representing the complete set of the digital 

10 assets, other group nodes representing sub-sets in each level of the digital assets 
respectively, and the nodes in the lowest level being leaf nodes, said client apparatus 
comprises: a second computing unit for, based on a node key received from a server 
apparatus, computing the keys of the nodes in lower levels of said node through to leaf 
nodes in turn by using a predetermined function; and a decrypting unit for decrypting the 

15 digital assets contained in all nodes by using the computed keys of all nodes. 

Although the present invention provides a method for generating keys, it is also very useful 
for key storage and key distribution. The amount of the keys generated according to the 
method of the present invention is greatly reduced, thereby saving a lot of costs needed for 
20 key storage and distribution, and having enough flexibility to support such changes as the 
insertion and deletion of assets. 

Brief Description of the Drawings 

25 The above features and advantages of the present invention will become more apparent 
through the following detailed description of a specific embodiment of the present 
invention, in conjunction with the drawings, in which: 

Fig. 1 is a schematic diagram of performing tree structure management on assets according 
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to the present invention. 

Fig. 2 is a schematic diagram of a system embodying the present invention. 

5 Fig. 3 is a flow chart showing a method for performing key management in server 1 
according to the present invention. 

Fig. 4 is a flow chart showing a method for performing key management in client 2 
according to the present invention. 

10 

Detailed Description 

The best modes for carrying out the present invention will be described hereinafter in 
1 5 conj unction with the drawings. 

Fig. 1 is a schematic diagram of performing tree structure management on the assets in an 
e-learning system according to the present invention. 

20 In the e-learning system of Fig. 1, all the lectures are digitaiized, and are organized as 
lectures in a tree structure. In the present invention, these digital lectures are all referred to 
as digital assets. In addition, the digital asset can be at least one of video, audio and text 
materials. Wherein, a node marked with 1 is a root node, which represents a main course, 
such as math, English or MBA course, etc. A node marked with 2 is a non-root group node 

25 (which can also be referred to as a child node). Each non-root group node represents a 
sub-course under the main course, such as nodes "math/geometry/" and "math/algebra/" 
subdivided under the main course node "math/", and nodes "math/geometry/triangle/" 
"math/geometry/rectangle/" subdivided under the node "math/geometry/", etc. The root 
nodes and the non-root group nodes both can be referred to as group nodes. And a node 
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marked with 3 is an asset node (which is also referred to as a leaf node, the lowest level of 
the tree structure), which includes various specific lectures in various courses, such as asset 
nodes "math/geometry/rectangle/introduction", "math/geometry/rectangle/ exercise" and 
"math/geometry/introduction", etc. 

5 

In order to organize these assets into the tree structure, three basic functions are required: 

(1) creating a root node which can be either a group node or an asset node (i.e., leaf node); 

(2) creating a group node in the lower level under a group node; (3) creating an asset node 
under a group node. 

10 

In addition, a group node can have a plurality of sub-nodes in multiple levels, in which the 
higher level node is referred to as the father node of the lower level node, and the lower 
level node is referred to as the child node of the higher level node. These child nodes can be 
either group nodes or asset nodes. The asset node includes specific digital assets (such as 
15 lectures), and it does not have child nodes. It can be seen from Fig. 1 that the asset 
management is similar to the ordinary file system, but it can have a plurality of root nodes. 

The key management of the above-mentioned e-learning system will become very easy. If 
a user demands for a course, he/she needs to simply get a key of the course, i.e., the key of 
20 a certain group node instead of all keys of various sub-courses under this course. If the user 
demands for only three lectures, he/she does not need to subscribe the whole course, three 
individual lecture keys should be enough for the user. 

For example, in Fig. 1, if the root node "math/" has a key Kl, then the group node 
25 "math/geometry/" will have a key K2=F(K1, "math/geometry/"). And the node 
"math/geometry/rectangle/" will have a key K3=F(K2, "math/geometry/rectangle/"). The 
last asset node (i.e., leaf node) "math/geometry/rectangle/introduction" will have key 
K4i=F(K3, "math/geometry/rectangle/introduction"). Likewise, the asset node "math/ 
geometry/rectangle/exercise" will have a key K4 2 =F(K3, "math/ 
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geometry/rectangle/exercise"), and the asset node "math/geometry/ rectangle/q&a" will 
have a key K43=F(K3, "math/geometry/rectangle/ q&a"). 

For example, in the above various keys, K4i or a part of K4i or the result derived from 
5 calculating K4i is used to encrypt assets in the asset node 
"math/geometry/rectangle/introduction", i.e., the lecture corresponding to the node. 

Of course, a cipher key can be assigned in advance to the asset node such as 
"math/geometry/rectangle/exercise" randomly or by other unit, then the cipher key 
10 assigned in advance is encrypted by using K4i or a part of K4i or the result derived from 
calculating K4i. 

In the embodiment of the present invention, the corresponding digital assets, i.e., the 
lectures, can be stored at the position of each group node, so as to the digital assets stored at 
15 the position of the corresponding node are decrypted by using directly or indirectly the 
keysKl,K2, K3 or K4. 

Here, F( ) is a one-way function representing an algorithm, the reverse algorithm of which 
is not computable. For example, y=F(x) is quite easy to compute, while the reverse 
20 function x= F" l (y) is quite impossible to compute. In addition, in the present invention, the 
one-way function F( ) can be provided by the server side to the client side, or can be 
embedded in the client without being provided by the server side to the client side. 

It is clear if a user has any one of keys Kl, K2, K3 and K4 (asset node keys K4i, K42 and 
25 K4 3 are referred to as K4 as a whole below), he/she can decrypt the assets (i.e., specific 
lectures) contained in the descendent nodes of the nodes corresponding to the key. In 
general, if a key of a group node is given, then in fact the keys of all the descendant nodes 
of the group node are given, since the user can compute all the keys of the descendent 
nodes of the node from the key of the node. For example, the user can compute the keys 
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K4i, K4 2 , K4 3 of descendent asset nodes of the node key K3 from the node key K3. Thus if 
a user is entitled to a group of assets, then simply giving him/her the key of the group node 
is enough. 

5 For example, if user A is assigned with a group key K3 5 then user A can decrypt any assets 
under the group node "math/geometry/ rectangle/" including of course various assets to be 
changed in the future (such as modified, added or deleted, etc.). For example, even if there 
is no asset "math/geometiy/rectangle/future" in the system now, user A can decrypt the 
asset as soon as it becomes available, while no extra key distribution will be needed, and 
10 this saves a lot of cost for the future key distribution. 

A system embodying the present invention will be described hereinafter in conjunction 
with Fig. 2. 

15 Fig. 2 is a schematic diagram of a system embodying the present invention. 

The system in Fig. 2 can be for example an e-learning system (of course the systems of 
other usage can also be suitable) comprising a server 1 and a client 2 connected with each 
other. Of course the server 1 and the client 2 can also be connected with each other through 
20 such a network (not shown) as the Internet, an enterprise network or an LAN. 

In addition to such general units as a CPU, a bus and a memory (ROM, RAM etc.) (not 
shown), the server 1 also comprises a key generation unit 19 for generating needed keys. 
The key generation unit 19 comprises a root node key generating unit 14 for generating a 
25 root node key randomly or by other means; and a first computing unit 16 for using a 
function such as an one-way function to compute level by level the keys of various 
sub-nodes of the root node, through to leaf nodes, based on the root node key. In the 
meantime, the server 1 also comprises an encrypting unit 17 for using the computed key to 
encrypt the assets in corresponding nodes, such as teaching lectures and etc. (in addition, a 
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cipher key is assigned in advance to an asset node such as "math/geometry/rectangular/ 
introduction" randomly or by other means, then the cipher key assigned in advance is 
encrypted by using the result derived from performing calculation on the computed key 
using all or a part of the computed keys); and a key tree management unit 12 for creating a 
5 key tree structure, maintaining the created tree structure, and storing and managing the 
computed keys. 

In addition, the sever 1 also comprises a first communication port (not shown) for receiving 
a request from the client 2 through a corresponding connection line or a network, and 
10 transmitting the requested contents and keys, etc. to the client 2. 

In addition to such general units as CPUs, bus and memory (ROM, RAM etc.) (not shown), 
the client 2 also comprises a second computing unit 26 for using an algorithm program 
received from the server 1 or embedded internally to compute the keys of needed 
15 sub-nodes level by level based on the node keys received from the server 1, so as to 
compute finally the key of the needed asset node; and a decrypting unit 27 for decrypting 
the needed assets such as teaching lectures by using the computed keys of the nodes. 

In addition, the client 2 also comprises a second communication port (not shown) for 
20 transmitting a request to the server 1 through a corresponding connection line or a network, 
and receiving the requested contents and keys, etc. from the server 1. 

Of course, in the communication between the above server 1 and client 2, the encrypted 
assets and the node key needed by the client 2 can be transmitted simultaneously by the 
25 server 1 to the client 2, or can be transmitted separately. For example, in the present 
invention, the server 1 only transmits a corresponding node key to the client 2 upon its 
request, the encrypted assets and etc. can be transmitted to the client 2 at other time by 
other means, e.g., the encrypted assets can be transmitted to the client 2 via an optical disc, 
etc. 
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The above first computing unit 16 and second computing unit 26 can be implemented by 
executing a corresponding software program on the CPU, or can be implemented by a 
hardware obtained by solidifying a certain software program into the unit such as a CPU. In 

5 addition, the root node key generating unit 14, the first computing unit 16 and the 
encrypting unit 17 in the server 1 are not limited to the above mentioned configuration, but 
can be implemented by only one unit integrating their functions together. The root node 
key generating unit 14 and the first computing unit 16 therein are also not limited to the 
above-mentioned configuration, and they may not be contained in the key generation unit 

10 19, but can be independent from the key generation unit 19. The second computing unit 26 
and the decrypting unit 27 in the client 2 are not limited to the above-mentioned 
configuration, but can be implemented by only one unit integrating their functions 
together. 

15 In addition, the above units are not limited to only being contained in the server 1 and the 
client 2 respectively, but can be arranged outside the server 1 or the client 2 in an operable 
connection manner. 

The key management method of the present invention will be described in details 
20 hereinafter in conjunction with Fig. 3. 

Fig. 3 is a flowchart showing a method for performing key management in the server 1 
according to the present invention. 

25 In which, at step S 1 00, the key tree management unit 1 2 creates the tree structure of assets. 
A plurality of tree structures can be created according to the category and size of the assets, 
as shown in Fig. 1. Then the process proceeds to step SI 04. 

At step SI 04, the root node key generating unit 14 in the server 1 generates the key Kl of 
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the root node of the asset tree structure, and transmits the key Kl to the first computing unit 
16. The root node key Kl can be generated randomly or by other means of course. 

Then at step SI 06, the first computing unit 16 computes level by level the keys of 
5 sub-nodes, through to the key K4 (K4j, K4 2 and K4 3 ) of the asset node (i.e., leaf node), by 
using an one-way function F() based on the generated root node key Kl, and encrypts the 
corresponding assets by using the computed asset node key K4 or a part of K4. Specifically, 
the first computing unit 1 6 first, based on the generated root node key, computes the key of 
the sub-node (maybe a group node) of the root node, here it is the key K2 of the group node 
10 "math/geometry/" by using an one-way function, and then computes, based on the group 
node key K2, the key of the sub-node of the group node (maybe another group node or a 
asset node), here it is the key K3 of the group node "math/geometry/ rectangular/". 
Computation is performed like this level by level until the final asset node key K4 
(including K4i, K4 2 and K4 3 ) is obtained. 

15 

After obtaining the final key K4 of the asset node, the server 1 encrypts the assets included 
in the nodes by using corresponding node keys. 

In the above mentioned computing process, the computing procedures for computing the 
20 keys of the nodes can be identical or different. In addition, even if all the nodes have the 
same father node, the obtained keys of these nodes are also different. For example, though 
asset nodes "math/geometry/rectangular/introduction", "math/geometry/ 
rectangular/exercise" and "math/geometry/rectangular/q&a" have the identical father node 
"math/geometry/rectangular/", the keys K4i, K4 2 and K4 3 they possess respectively are 
25 different from each other, thereby ensuring each asset has higher security. 

Next, the process proceeds to step SI 07. At step SI 07, the server 1 determines whether or 
not a request for certain assets is received from the client 2. And if no request for certain 
assets is received from the client 2, then the server 1 continues to be in a standby state until 
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receiving a request from the client 2. 

If it is determined at step S 1 07 that a request for certain assets is received from the client 2, 
such as a request for the asset in the node "math/geometry/rectangular/introduction", then 
5 the process proceeds to step S 1 08. 

Next at step SI 08, the server 1 transmits the corresponding key of the node requested by 
the client 2 to the client 2. Of course, the encrypted assets requested by the client 2 can be 
transmitted to the client 2 collectively or separately. 

10 

After finishing the process at step SI 08, before the process in the server 1 returns to step 
SI 07, the process is in a standby state to wait for receiving next user request. 

Of course, in the embodiment in the present invention, after the server 1 receives the 
15 request from the client 2, an authentication process can be included for checking whether 
the client 2 having sent the request is a legal user of the requested asset, e.g., whether the 
client 2 has paid for its requested asset, etc. 

In addition, in the embodiment of the present invention, the server 1 can, in the course of 
20 the above process, also accept instructions from an administrator through an input interface 
(not shown), modify the asset tree structure and perform adding/amending/deleting 
processes on the contents of the asset according to the instructions of the administrator, and 
perform such processes as regenerating a root key, computing the keys of various nodes in 
various levels and encrypting the modified asset content, etc. according to the modified 
25 asset tree structure. 

The application of the key management method of the present invention in the client 2 will 
be described hereinafter in conjunction with Fig. 4. 
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Fig. 4 is a flowchart showing a method for performing key management in the client 2 
according to the present invention. 

In Fig. 4, at step S200, the client 2 receives, through an input unit (not shown) from a user, 
5 a request for decrypting a certain encrypted asset, such as assets in the node 
"math/geometry/rectangular/". After receiving the request, at step S202, the client 2 checks 
a local key database (not shown) to determine whether or not a key for decrypting the 
encrypted asset requested by the user, such as key K3, is stored in the local key database. In 
the above key database stored all the keys received previously from the server 1 by the 
10 client 2. Then the process proceeds to step S204. 

At step S204, the client 2 determines whether or not there stored in the local key database 
the asset node key K3 for decrypting the asset in the node "math/geometry/rectangular/", 
or the group keys of its various higher level nodes. 

15 

If at step S204 it is determined that the asset node key K3 for decrypting the assets in node 
"math/geometry/rectangular" is stored in the local key database of the client 2, then the 
locally stored node key K3 is used to decrypt the assets in the corresponding node 
"math/geometry/ rectangular/". In addition, if necessary, for example if the asset node key 
20 K4 is still needed to decrypt the assets of the lower level node of the node 
"math/geometry/rectangular/" such as the assets in the asset node 
"math/geometry/rectangular/introduction", then the second computing unit 26 computes 
the needed asset node key K4i by using the locally stored node key K3, and decrypts the 
corresponding assets by using the asset node key K4i. 

25 

If the key of the group node in the upper level including the requested node is stored in the 
key database of the client 2, then second computing unit 26 computes the key K3 of the 
needed asset node level by level by using the locally stored group node key Kl or K2, 
computes, if necessary, the asset node key K4i, and decrypts the corresponding assets by 
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using the node key K3 and asset node key K4i. 

If at step S204 it is determined that no requested group key or node key K3 is stored in the 
key database of the client 2, then the client 2 at step 208 sends a request for key K3 to the 
5 server 1 . Then the process proceeds to step S210. 

After the server 1 authenticates that the client 2 is a legal user, at step 210, the client 2 
receives the key K of the corresponding node from the server 1, which may be either K3 or 
a higher level group node key of K3, such as Kl or K2. 

10 

At step S212, the client 2 determines that the received key K is either the requested node 
key or the key of its higher level group node. 

If it is determined that the received key K is the key of the upper level group node (in the 
15 embodiment of the present invention, it is determined to be Key K3 of the group node 
"math/geometry/ rectangular/" ), then at step S214, according to the received key K3, the 
keys of asset nodes corresponding to the requested asset, such as K4i, K42 or K43, are 
computed level by level by using an internally embedded algorithm program in the client 2, 
and the requested assets are decrypted by using the computed asset node key K4i, K42 or 
20 K43 as well as the received node key K3. The above mentioned process of computing keys 
level by level is identical to that of step SI 06 in the server 1, so the detailed description 
thereof is omitted. 

If at step S212 it is determined that the received key is the requested asset node key, e.g., 
25 when the client 2 requests to decrypt the asset node 
"math/geometry/rectangular/introduction ,, , the node key received from the server 1 is K4, 
then the process proceeds to step S216. At step S216, the client 2 determines that the 
received node key is the key K4i of the requested asset node, so the client 2 no longer 
computes level by level, but directly uses the received key K4i to decrypt the obtained 
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encrypted asset. 

In the above process of determining which node key corresponds to the received node key, 
it can be performed by using the ID which is added into the key by the server 1 when 
5 generating the key, of course it can also be performed by using other means known by those 
skilled in the art. 

The above mentioned method of the present invention for generating root node keys can 
also be as follows, i.e., the server 1 does not store in advance the key of corresponding root 
10 node and all level keys computed level by level before receiving the request of the client 2, 
but generates the key of the root node and then computes all level keys level by level after 
receiving the request of client 2. 

It can be known from the above description that, in the method of the present invention, 
15 since it is enough that the server 1 stores only the key of the root node before receiving a 
request from the client 2, or does not need to store the keys at all, the method of the present 
invention can reduce the storage requirement for asset keys. And the distribution of keys is 
also simplified: suppose a user is entitled to use 20,000 assets, he/she only needs to obtain 
several (may be 20, for example) group node keys instead of 20,000 keys. Thereby the 
20 need of bandwidth for transmitting keys over a network is greatly reduced, and a lot of 
costs needed for key storage and key distribution are saved. 

Program Product 

The invention may be implemented, for example, by generating the hierarchical keys of the 
25 digital assets through a software application (as database management system or content 
management system element), a dedicated processor, or a dedicated processor with 
dedicated code. The software application executes a sequence of machine-readable 
instructions, which can also be referred to as code. These instructions may reside in various 
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types of signal-bearing media. In this respect, one aspect of the present invention concerns 
a program product, comprising a signal-bearing medium or signal-bearing media tangibly 
embodying a program of machine-readable instructions executable by a digital processing 
apparatus to perform a method for generating hierarchical keys of digital assets. 

5 

This signal-bearing medium may comprise, for example, memory in server. The memory 
in the server may be non-volatile storage, a data disc, or even memory on a vendor server 
for downloading to a processor for installation. Alternatively, the instructions may be 
embodied in a signal-bearing medium such as the optical data storage disc. Alternatively, 

10 the instructions may be stored on any of a variety of machine-readable data storage 
mediums or media, which may include, for example, a "hard drive", a RAID array, a 
RAMAC, a magnetic data storage diskette (such as a floppy disk), magnetic tape, digital 
optical tape, RAM, ROM, EPROM, EEPROM, flash memory, magneto-optical storage, 
paper punch cards, or any other suitable signal-bearing media including transmission 

15 media such as digital and/or analog communications links, which may be electrical, optical, 
and/or wireless. As an example, the machine-readable instructions may comprise software 
object code, compiled from a language such as "C++". 

Additionally, the program code may, for example, be compressed, encrypted, or both, and 
20 may include executable files, script files and wizards for installation, as in Zip files and cab 
files. As used herein the term machine-readable instructions or code residing in or on 
signal-bearing media include all of the above means of delivery. 

While the foregoing disclosure shows a number of illustrative embodiments of the 
25 invention, it will be apparent to those skilled in the art that various changes and 
modifications can be made herein without departing from the scope of the invention as 
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defined by the appended claims. Furthermore, although elements of the invention may be 
described or claimed in the singular, the plural is contemplated unless limitation to the 
singular is explicitly stated. 
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